MAL-2026-168

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zuora-marketing/linting/MAL-2026-168.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-168
Published
2026-01-08T15:40:55Z
Modified
2026-01-15T22:21:59.070138Z
Summary
Malicious code in @zuora-marketing/linting (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ddcfd1151af868e694a4a79307ce1284331ad88b8ff631651f3fd2c47fbf342a)

The package @zuora-marketing/linting was found to contain malicious code.

Source: ossf-package-analysis (02e59dfc0bb58f27949258caefffd5c13d5c3af111b8c069edf5ea6e0e985f22)

The OpenSSF Package Analysis project identified '@zuora-marketing/linting' @ 5.1.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "5.1.0"
            ],
            "sha256": "02e59dfc0bb58f27949258caefffd5c13d5c3af111b8c069edf5ea6e0e985f22",
            "modified_time": "2026-01-08T15:40:55Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-01-08T15:41:30.366112511Z"
        },
        {
            "versions": [
                "6.1.1"
            ],
            "sha256": "6ac2fac151a4dc27d6767c679c92664cbd80bdd566ae85b259a46155e73596f3",
            "modified_time": "2026-01-08T18:27:59Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-01-08T18:45:03.309095836Z"
        },
        {
            "versions": [
                "5.1.0",
                "6.1.1"
            ],
            "sha256": "ddcfd1151af868e694a4a79307ce1284331ad88b8ff631651f3fd2c47fbf342a",
            "modified_time": "2026-01-15T21:43:07Z",
            "source": "amazon-inspector",
            "import_time": "2026-01-15T22:07:42.096674975Z"
        }
    ]
}
References
Credits

Affected packages

npm / @zuora-marketing/linting

Package

Name
@zuora-marketing/linting
View open source insights on deps.dev
Purl
pkg:npm/%40zuora-marketing/linting

Affected ranges

Affected versions

5.*
5.1.0
6.*
6.1.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zuora-marketing/linting/MAL-2026-168.json"